Security Basics mailing list archives

Re[4]: suggestions on a good firewall


From: Malte von dem Hagen <DocValde () gmx de>
Date: Fri, 23 May 2003 15:40:05 +0200

Hello Jeff,
on Wednesday, 21 May 2003 at 19:45:44 you wrote:

> Hello Jeff,
> on Tuesday, 20 May 2003 at 18:35:30 you wrote:


>> First of all, a firewall is a concept and not a machine, so one has to
>> choose a concept for it. You cannot compare a Cisco Router with Firewall

> I did not say Cisco Router with Firewall, I said Cisco and meant the PIX line

Even the PIX as a stateful inspection firewall isn't comparable to an
Application Level Gateway as the Raptor is. They are serving different
needs.


>> Feature Set to a Raptor. If one needs a packet filter-like firewall
>> component, I would always recommend OpenBSD - not Linux, not Cisco or
>> anything else.
>> Why? Because OpenBSD is one of the most secure Operating Systems, and
>> that's one of the most important points when choosing a firewall
>> component. You need a secure and stable platform. The BSD Unices (all of
>> them) are such a platform - more secure and more stable than Linux, even
>> than Cisco IOS.

> I would disagree with the assumption that BSD is more secure than Cisco IOS.
> I would be interested in any facts you might have on the subject though?

Well, first of all, BSD is Open Source, Cisco IOS isn't. Open Source per
se is more secure than closed source because it delivers powerful tools
for code quality, such as peer review, for example.
Second, take a look at the security mailing lists like Bugtraq: You'll
find more remote vulnerabilities for Cisco IOS than for OpenBSD. IMHO,
that indicates a higher code quality regarding security issues.


>> Everyone with rudimentary knowledge of Unix-based systems can set up and
>> maintain such a system, when he or she is willing to read and learn a
>> bit. It is not as difficult as it may seem...
> true
> the *ixes are not hard at all to learn and maintain

They are, if you are inexperienced and want to have a complete and
comfortable desktop system. But we talk about firewalling services, and
these don't involve too many parts of the system. It's just the ruleset,
logging and a little bit of system hardening.
But we agree in this point. :-)


>> Only exception: A medium to large network with
>> single-vendor-Cisco-strategy.
>> In that scenario, it may be useful to choose a PIX, for management
>> reasons.
> true
> there are some great tools for line PIX firewalls line

I had the Cisco Secure Policy Manager in mind. If you manage a bunch of
routers and switches with it, it will be a lot easier to integrate one
further system like a PIX in this concept than to set up a totally new
and different one like a BSD Firewall.

I don't stand here and state the Cisco PIX Firewalls as "insecure".
I only trust BSD a bit more and favour Open Source. Furthermore, I think
BSD Firewalls are quite comfortably manageable. Anyone with basic Unix
knowledge doesn't have to learn a lot of new stuff, and can use the new
knowledge and abilities in other fields of Unix. BSDs can be
extremely powerful systems, especially when you take a look at the new
possibilities in FreeBSD 5.0 (jailing, file ACLs...).

Regards,

Malte.

-- 
Malte von dem Hagen

DocValde () gmx de
http://www.docvalde.net/

